The same day Apple released its latest macOS Mojave operating system, a security researcher demonstrated a potential way to bypass new privacy implementations in macOS using just a few lines of code and access sensitive user data.
On Monday, Apple started rolling out its new macOS Mojave 10.14 operating system update to its users, which includes a number of new privacy and security controls, including authorization prompts.
Mojave 10.14 now pops up authorization prompts that require direct and real user interaction before any unprivileged third-party application can tap into users’ sensitive information, such as address books, location data, message archives, Mail, and photos.
Patrick Wardle, an ex-NSA hacker and now chief research officer at Digita Security, discovered a zero-day flaw that could allow an attacker to bypass authorization prompts and access users’ personal information by using an unprivileged app.
Wardle tweeted a video Monday showing how he was able to bypass the permission requirements on a dark-themed Mojave system by running just a few lines of code simulating a malicious app called “breakMojave,” which allowed him to access to the address book and copy it to the macOS desktop.
However, Wardle goes on to say that not just Mojave’s Dark Mode, but all modes are affected by the privacy bypass vulnerability.
“Mojave’s ‘dark mode’ is gorgeous…but its promises about improved privacy protections? kinda #FakeNews,” Wardle
tweeted with a link to a minute-long Vimeo video.
Well, the privacy bypass flaw in Mojave seems to be concerning due to its simplicity of carrying out personal data pilfering, with no permissions required.
It should be noted that the flaw does not work with all of the new privacy protection features implemented by Apple in macOS Mojave, and hardware-based components, like the webcam and microphone, are not affected.
Since there is no public macOS bounty program to report the vulnerabilities, Wardle said on Twitter that he’s still looking for a way to report the flaw to Apple.
Wardle has not released details beyond just the proof-of-concept video until the company patches the issue in order to prevent abuse. Until then, Mojave users are recommended to be cautious about what apps they run.
Wardle is set to release more technical details of the vulnerability in his upcoming Mac Security conference in November.
Last month, Wardle publicly disclosed a different macOS zero-day flaw that could allow a malicious application installed on a targeted Mac system running Apple’s High Sierra operating system to virtually “click” objects without any user interaction or consent, leading to full system compromise.